We help IT Professionals succeed at work.

Security issues with Front End Server in a DMZ?

davis
davis asked
on
467 Views
Last Modified: 2013-12-04
We currently have a Front End/Back End Exchange configuration which resides completely behind a firewall.  It seems we are having to evaluate the option of sticking the FE server out in the DMZ for direct access to POP, IMAP, etc.  

*Currently, all users access the corporate network via VPN for access to Exchange mail.  Performance (speed) and accessibility issues have been expressed by a number of our users when connecting in this manner.

If we were to only to open the secure ports ->
443 - HTTP (SSL)
993 - IMAP4 (SSL)
995 - POP3 (SSL)
...what are the obvious security risks?

 It appears to be a infrastructure design practice preached by MS and just need to be well-informed about any security before implementing.  The FE is NOT a GC and has no mailbox store mounted...

thanks for any insight!
Comment
Watch Question

List of known Trojan/Backdoors and the TCP/UDP ports on which they operate
http://www.onctek.com/trojanports.html

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open

Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION

Author

Commented:
Lots of good resources here - thanks!

To quote an excerpt from your 2nd posted link:
"Just about any firewall will allow packet and port filtering in order to protect your network and Exchange environment. While this is a good start for protecting your servers, it falls short of complete protection since you have to open ports to allow access to the data in your private network. For example, port 25 must be opened to allow for SMTP traffic, port 80 for HTTP."

...with the FE in a perimeter zone (between two firewalls), as shown in the diagram, is the internal network still at risk?  Unclear what can be at risk - the FE, the BE (back-end), or both.

thanks for any clarification!!
I did'nt stydy it all, but the solution is here:

Microsoft Exchange 2000 Server Front-End and Back-End Topology
 Advantages of a Front-End and Back-End Server Environment
 How Front-end and Back-end Topology Works
 Deployment Considerations
 Scenarios
 Configuring a Front-End Server
 Configuring a Back-End Server
 Configuring Firewalls
 Front-end and Back-end Topology Checklist
 Front-end and Back-end Topology Troubleshooting Steps
 Additional Resources
http://www.microsoft.com/technet/prodtechnol/exchange/2000/maintain/e2kfront.mspx
SoftScan puts an end to virus and spam threats from the Internet
http://www.softscan.dk/english/index.asp
Remember to have a different/difficult password for the administrator on the FE server, than on the BE and the rest of your servers, and setup auditing on FE

HOW TO: Enable and Apply Security Auditing in Windows 2000 Server and Windows 2000 Professional:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q300549&sd=tech

Windows 2000 Server Security Guidelines - Audit acconts
http://www.colorado.edu/its/windows2000/adminguide/w2ksecguidelines.html#localpolicy

EMCO EventLog Audit collects the eventlog from the computers on the LAN, to a database
http://www.1000files.com/Utilities/Network/EMCO_EventLog_Audit_6132_Review.html

Author

Commented:
I have used the 'maintain'article quite a bit  - kind of a bible.

I think I found the answer in the article you posted earlier : http://www.microsoft.com/technet/security/prodtech/mailexch/opsguide/e2ksec04.mspx

Also found elsewhere, it stated :
"For security reasons, you don't want to install a front-end server in a DMZ.
Why?  Because you have to open up a whole stack of ports between the
networks.  A much more secure solution is to have the FE server on the
internal network, with ISA Server in the DMZ publishing OWA."

I would imagine it would be sugested to run ISA or some other firewall that will do application proxy.  Something to scan the traffic on IMAP, SMTP, POP before passing on to the mailserver.

Thanks for your references!


Author

Commented:
OOps - meant to Accept the one just above the one I actually accepted.

I found it much more concise and useful
:o) Glad I could help you - thank you for the points
Unlock the solution to this question.
Thanks for using Experts Exchange.

Please provide your email to receive a sample view!

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.